b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                 Annual Assessment of the Internal Revenue\n                  Service Information Technology Program\n\n\n\n                                      September 28, 2012\n\n                              Reference Number: 2012-20-120\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n E-mail Address | TIGTACommunications@tigta.treas.gov\n Website        | http://www.tigta.gov\n\x0c                                                  HIGHLIGHTS\n\n\nANNUAL ASSESSMENT OF THE                             and is expected to be placed into production in\nINTERNAL REVENUE SERVICE                             late 2012. Modernized e-File Release 7.0 was\nINFORMATION TECHNOLOGY                               implemented in January 2012; however, plans to\nPROGRAM                                              retire the Legacy e-File system in 2012 were\n                                                     revised.\n                                                     TIGTA continues to believe that the IRS\xe2\x80\x99s\nHighlights                                           Modernization Program remains a major risk.\n                                                     Improved controls are needed to ensure\nFinal Report issued on                               long-term success for two key systems within\nSeptember 28, 2012                                   the Modernization Program. The development\n                                                     and implementation of new systems for Patient\nHighlights of Reference Number: 2012-20-120          Protection and Affordable Care Act provisions\nto the Internal Revenue Service Chief                present major IT management challenges.\nTechnology Officer.   
                               TIGTA suggests that the IRS continues to stress\n                                                     improvements in its overall control processes\nIMPACT ON TAXPAYERS                                  and performance, including implementing\nSuccessful modernization of IRS systems and          successful new systems, necessary to meet the\nthe development and implementation of new            IRS\xe2\x80\x99s mission-critical goals.\nInformation Technology (IT) applications is          The IRS has made progress to improve\nnecessary to meet evolving business needs.           information security and personnel safety;\nThe IRS must ensure that its computer systems        however, it needs to continue to place emphasis\nare effectively secured to protect sensitive         on information and physical security programs in\nfinancial and taxpayer data. The IRS also needs      order to ensure that policies, procedures, and\nto ensure that it leverages viable technological     practices adequately address security control\nadvances as it improves its overall operational      weaknesses. Weaknesses were identified over\nenvironment.                                         system access controls, configuration\n                                                     management, audit trails, physical security,\nWHY TIGTA DID THE AUDIT\n                                                     remediation of security weaknesses, and\nThis audit was initiated as part of the TIGTA\xe2\x80\x99s      oversight and coordination on security-related\nFiscal Year 2012 Annual Audit Plan and               issues. Until the IRS addresses security\naddresses the major management challenge of          weaknesses, it will continue to put the\nModernization. 
TIGTA is required by the IRS          confidentiality, integrity, and availability of\nRestructuring and Reform Act of 1998 to              financial and taxpayer information and employee\nannually perform an evaluation of the adequacy       safety at risk.\nand security of IRS technology.\n                                                     The IRS IT organization envisions becoming a\nWHAT TIGTA FOUND                                     world-class provider of IT services by focusing\n                                                     on its people, processes, and technology. It\nSince last year\xe2\x80\x99s assessment, the IRS has            implemented virtualization technology to\ndeveloped and implemented significant systems,       continue to improve operational efficiency, but\nincluding the daily processing and database          additional improvements are needed. In\nimplementation projects of the Customer              addition, the IT organization is effectively\nAccount Data Engine 2 system and a new               working human capital issues, but improvements\nrelease of the Modernized e-File system. The         are needed there also.\ndaily processing project provides individual\ntaxpayer account information to select               WHAT TIGTA RECOMMENDED\ndownstream IRS systems on a daily basis and\n                                                     Because this was an assessment report of the\nwas implemented in January 2012. The\n                                                     IRS\xe2\x80\x99s IT Program through Fiscal Year 2012,\ndatabase implementation project will establish a\n                                                     TIGTA did not offer any recommendations. IRS\nrelational database that will store all individual\n                                                     officials were provided with an opportunity to\ntaxpayer account data. 
It is in the testing phase\n                                                     review and comment on the report.\n\x0c                                                  DEPARTMENT OF THE TREASURY\n                                                        WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                               September 28, 2012\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n\n FROM:                         Michael E. McKenney\n                               Acting Deputy Inspector General for Audit\n\n SUBJECT:                      Final Audit Report \xe2\x80\x93 Annual Assessment of the Internal Revenue\n                               Service Information Technology Program (Audit # 201220010)\n\n This report presents the results of our annual assessment of the Internal Revenue Service (IRS)\n Information Technology Program. The overall objective of this review was to perform an\n evaluation of the adequacy and security of the technology of the IRS since August 1, 2011, as\n required by the IRS Restructuring and Reform Act of 1998.1 This audit is included in the\n Treasury Inspector General for Tax Administration\xe2\x80\x99s Fiscal Year 2012 Annual Audit Plan and\n addresses the major management challenge of Modernization.\n Copies of this report are also being sent to the IRS managers affected by the report findings.\n Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant\n Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.\n\n\n\n\n 1\n  Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. 
app.,\n 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).\n\x0c                                Annual Assessment of the Internal Revenue Service\n                                         Information Technology Program\n\n\n\n\n                                             Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 6\n          Systems Modernization and Applications Development Background ......... Page 6\n          Improved Controls Are Needed to Ensure Long-Term Success for\n          Two Key Systems Within the Modernization Program ................................ Page 8\n          Achieving Program Efficiencies and Cost Savings ...................................... Page 12\n          Development and Implementation of New Systems for the Patient\n          Protection and Affordable Care Act Provisions Present Major\n          Information Technology Management Challenges ....................................... Page 13\n          Information Security Background................................................................. Page 15\n          Progress Is Being Made to Improve Information Security and\n          Personnel Safety............................................................................................ Page 16\n          Continued Management Attention Is Needed to Address Weaknesses\n          in Information and Physical Security ............................................................ Page 18\n          Information Technology Operations Background ........................................ Page 24\n          Information Technology Operational Efficiency Continues to\n          Improve, but Additional Improvements Are Needed ................................... 
Page 24\n          The Information Technology Organization Is Effectively Working\n          Human Capital Issues, but Additional Improvements Are Needed .............. Page 25\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 29\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 30\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 31\n          Appendix IV \xe2\x80\x93 List of Treasury Inspector General for Tax\n          Administration Reports Reviewed ................................................................ Page 32\n\x0c                     Annual Assessment of the Internal Revenue Service\n                              Information Technology Program\n\n\n\nAppendix V \xe2\x80\x93 Number of Internal Revenue Service Information\nTechnology Employees ................................................................................ Page 35\nAppendix VI \xe2\x80\x93 Glossary of Terms ................................................................ 
Page 36\n\x0c         Annual Assessment of the Internal Revenue Service\n                  Information Technology Program\n\n\n\n\n                    Abbreviations\n\nACA          Patient Protection and Affordable Care Act\nACIO         Associate Chief Information Officer\nCADE 2       Customer Account Data Engine 2\nCTO          Chief Technology Officer\ne-File       Electronic Filing\nEUES         End User Equipment and Services\nFY           Fiscal Year\nGAO          Government Accountability Office\nIRDM         Information Reporting and Document Matching\nIRS          Internal Revenue Service\nIT           Information Technology\nMeF          Modernized e-File\nTIGTA        Treasury Inspector General for Tax Administration\n\x0c                            Annual Assessment of the Internal Revenue Service\n                                     Information Technology Program\n\n\n\n\n                                             Background\n\nThe Internal Revenue Service (IRS) Restructuring and Reform Act of 19981 requires the\nTreasury Inspector General for Tax Administration (TIGTA) to evaluate the adequacy and\nsecurity of the IRS\xe2\x80\x99s Information Technology (IT) Program annually. This report provides our\nassessment of the IRS\xe2\x80\x99s IT Program and its operations for Fiscal Year (FY)2 2012.\nEach year, the IRS collects more than $2 trillion in tax revenue and manages about 220 million\nindividual taxpayer accounts and more than 40 million business taxpayer accounts.3 The IRS\nreceives as many as 20 million inquiries from taxpayers during the peak week of the filing season.\nFurther, the Federal tax code includes more than 44,000 pages and is updated based on more\nthan 200 tax law changes enacted each year. 
According to the Draft IRS IT Business Plan\nFYs 2011\xe2\x80\x932013, the primary business challenges that the IRS faces include:\n    \xef\x82\xb7    Increasing complexity of tax administration due to the breadth of existing tax laws and\n         annual tax code changes from new legislation.\n    \xef\x82\xb7    Growing human capital challenges due to an aging staff and 39 percent of its executives\n         nearing retirement.\n    \xef\x82\xb7    Keeping up with the explosion in electronic data with online interactions and related\n         security risks as technologically perceptive taxpayers and employees are increasingly\n         using online tools.\n    \xef\x82\xb7    Accelerating globalization from increasing taxpayer and corporate foreign income\n         requires experience and tools in international tax administration.\n    \xef\x82\xb7    Expanding role of tax practitioners and other third parties in the tax system as\n         individuals increasingly use outside help, such as tax preparers and software.\n    \xef\x82\xb7    Maintaining the technology of the legacy systems used to perform core IRS processes,\n         which will require effort and skill.\n    \xef\x82\xb7    Complying with the mandate to ensure the security and privacy of taxpayer personal and\n         financial information, IRS infrastructure, and IRS applications.\n    \xef\x82\xb7    Improving operational efficiency amid increasing budget constraints by optimizing\n         existing technology and prudently planning future technology.\n\n1\n  Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. 
app.,\n16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).\n2\n  See Appendix VI for a glossary of terms.\n3\n  IRS IT Draft Business Plan FYs 2011\xe2\x80\x932013.\n                                                                                                              Page 1\n\x0c                          Annual Assessment of the Internal Revenue Service\n                                   Information Technology Program\n\n\n\nThe IRS reported that the 2012 Filing Season was a key turning point in modernizing the IRS\ntechnology infrastructure and instituting processes to deliver outstanding tax administration\nservices to the American public.4 To align with these milestones, effective July 1, 2012, the\nModernization and Information Technology Services organization changed its name to the IRS\nInformation Technology organization. The IRS reports that the name change reflects a shift in\nthe organization\xe2\x80\x99s way of thinking and operating as it collaborates with the business and\nfunctional operating divisions to deliver the IRS\xe2\x80\x99s mission. Instead of modernization being\ntreated as a separate and distinct strategic offering within the IRS IT organization, it will now be\nincorporated into the overall portfolio.\nThe IRS Chief Technology Officer (CTO) is responsible for advising the Commissioner on all IT\nmatters, managing the IRS\xe2\x80\x99s information system resources, and delivering and maintaining\nmodernized information systems throughout the IRS. 
The following Associate Chief\nInformation Officer (ACIO) offices support the CTO:\n    \xef\x82\xb7   Applications Development is responsible for building, testing, delivering, and\n        maintaining integrated software solutions to support modernized systems that manage\n        taxpayers\xe2\x80\x99 accounts, interactions with taxpayers, and potential audit and collection\n        activities.\n    \xef\x82\xb7   Enterprise Services is responsible for strengthening the technology infrastructure\n        across the enterprise and for defining how the enterprise-wide data environment is\n        organized, identified, shared, and reused.\n    \xef\x82\xb7   Strategy and Planning is collaborating with IT leadership and external stakeholders\n        to provide policy, direction, and administration of essential programs. Strategy and\n        Planning ensures selection, planning, and management of an IT investment portfolio.\n    \xef\x82\xb7   End-User Equipment and Services (EUES)5 provides IT products and support\n        services to IRS end-users. It is the single point of accountability for personal\n        computing, help desk support, asset management, local area networks, and telephone\n        communications support.\n    \xef\x82\xb7   Enterprise Networks manages the design and engineering of the IRS\xe2\x80\x99s\n        telecommunications environment and is responsible for developing the long-range\n        enterprise network strategy and managing telecommunications projects.\n    \xef\x82\xb7   Enterprise Operations supports the mainframe and server environment for all IRS\n        business entities and taxpayers. 
Enterprise Operations is developing the new\n        enterprise-wide development and test environment and is establishing\n        maximum security management.\n4\n IRS Name Change Guidance dated June 28, 2012.\n5\n On April 22, 2012, the EUES organization merged with the Enterprise Networks organization to form the User and\nNetwork Services organization.\n                                                                                                       Page 2\n\x0c                           Annual Assessment of the Internal Revenue Service\n                                    Information Technology Program\n\n\n\n    \xef\x82\xb7   Cybersecurity ensures the IRS\xe2\x80\x99s compliance with Federal statutory, legislative, and\n        regulatory requirements governing measures to assure the confidentiality, integrity,\n        and availability of IRS electronic systems, services, and data.\n    \xef\x82\xb7   Affordable Care Act Program Management Office is responsible for managing the\n        strategic planning, development, and implementation of new information systems\n        supporting IRS business requirements under provisions of the Patient Protection and\n        Affordable Care Act (ACA).6\n    \xef\x82\xb7   Management Services works with information technology leadership to define and\n        implement human capital policies and guidance.\n    \xef\x82\xb7   The Modernization Program Management Office leads the Customer Account Data\n        Engine 2 (CADE 2) system development efforts.\nThe IRS IT organization\xe2\x80\x99s FY 2012 budget was more than $2.1 billion, of which\n$330.21 million was for Business Systems Modernization. The IRS appropriations language\nin H.R. 2055,7 dated January 5, 2011, specifies that the IRS Business Systems\nModernization program include the CADE 2 and Modernized e-File (MeF) systems\xe2\x80\x99\ninvestments. 
Figure 1 provides a breakdown of the FY 2012 budget supporting the IRS IT\norganization by specific funds.\n\n\n\n\n6\n  Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered section of the U.S. Code), as amended\nby the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.\n7\n  Consolidated Appropriations Act, 2012, H.R 2055-103, 112th Cong. (2012).\n                                                                                                           Page 3\n\x0c                              Annual Assessment of the Internal Revenue Service\n                                       Information Technology Program\n\n\n\n                                 Figure 1: IRS Information Technology\n                                        FY 2012 Budget by Fund\n\n                                                                   Operations\n                                                                 Support ACIOs                    FY 2012\n              IRS Information Technology                         FY 2012 Budget                   Budget\n    Applications\xc2\xa0Development\xc2\xa0                                   $458,812,276\xc2\xa0\n    Enterprise\xc2\xa0Services\xc2\xa0                                        $63,041,742\xc2\xa0\n\n    Strategy\xc2\xa0and\xc2\xa0Planning\xc2\xa0                                      $42,439,223\xc2\xa0\n    User\xc2\xa0and\xc2\xa0Network\xc2\xa0Services\xc2\xa0                                  $429,600,475\xc2\xa0\n\n    Enterprise\xc2\xa0Operations\xc2\xa0                                      $351,076,320\xc2\xa0\n\n    Cybersecurity\xc2\xa0                                              $129,221,937\xc2\xa0\n    Other\xc2\xa0Associate\xc2\xa0Chief\xc2\xa0Information\xc2\xa0Officers\xc2\xa0(ACIO)\xc2\xa0          $334,034,859\xc2\xa0\n\n        Total\xc2\xa0Operations\xc2\xa0Support\xc2\xa0Fund\xc2\xa0                                                  \xc2\xa0 
$1,808,226,832\xc2\xa0\n\n        Affordable\xc2\xa0Care\xc2\xa0Act\xc2\xa0Fund\xc2\xa0                                                       \xc2\xa0 $33,838,291\xc2\xa0\n\n        Business\xc2\xa0Systems\xc2\xa0Modernization\xc2\xa0Fund\xc2\xa0                                            \xc2\xa0 $330,210,000\xc2\xa0\n\n        Return\xc2\xa0Preparer\xc2\xa0Initiative\xc2\xa0Fund\xc2\xa0                                                \xc2\xa0 $681,527\xc2\xa0\n\n        User\xc2\xa0Fees\xc2\xa0Fund\xc2\xa0\xc2\xa0                                                                \xc2\xa0 $220,000\xc2\xa0\n\n        Reimbursable\xc2\xa0Fund\xc2\xa0                                                              \xc2\xa0 $4,469,311\xc2\xa0\n\n    Total\xc2\xa0IRS\xc2\xa0Information\xc2\xa0Technology\xc2\xa0FY\xc2\xa02012\xc2\xa0Budget\xc2\xa0                                    \xc2\xa0 $2,177,645,961\xc2\xa0\nSource: IRS IT, Strategy and Planning ACIO, Financial Management Services, February 2012.\n\nAs of June 30, 2012, the IRS IT organization employed 7,228 individuals. Appendix V\nprovides a breakdown of the number of IRS IT employees by their respective functions. As of\nMay 30, 2012, the IRS IT organization also employed almost 2,000 contractors.\nThe compilation of information for this report was conducted at the TIGTA office in\nAtlanta, Georgia, during the period June through August 2012. We considered TIGTA reports\nissued to the IRS between August 1, 2011, and September 30, 2012,8 as well as reviewed\nrelevant reports published by the Government Accountability Office (GAO), IRS Oversight\nBoard, National Taxpayer Advocate, and the IRS. 
In addition, we considered congressional\ntestimonies.\n\n\n8\n    Please see Appendix IV for a list of TIGTA audit reports used in this assessment.\n                                                                                                            Page 4\n\x0c                       Annual Assessment of the Internal Revenue Service\n                                Information Technology Program\n\n\n\nOur audit work was conducted in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a reasonable basis for our\nfinding and conclusions based on our audit objective. Detailed information on our audit\nobjective, scope, and methodology is presented in Appendix I. Major contributors to the report\nare listed in Appendix II.\n\n\n\n\n                                                                                          Page 5\n\x0c                             Annual Assessment of the Internal Revenue Service\n                                      Information Technology Program\n\n\n\n\n                                        Results of Review\n\nSystems Modernization and Applications Development Background\nThe Business Systems Modernization Program (Modernization Program) is a complex effort to\nmodernize IRS technology and related business processes. It involves integrating thousands of\nhardware and software components while replacing outdated technology and maintaining the\ncurrent tax system. Successful modernization of IRS systems and the development and\nimplementation of new IT applications is necessary to meet evolving business needs. 
The IRS\nbudget for FY 2012 includes $330.21 million to remain available until September 30, 2014, for\n\xe2\x80\x9cnecessary expenses of the Internal Revenue Service\xe2\x80\x99s business systems modernization\nprogram.\xe2\x80\x9d Such expenses include the capital asset acquisition of information technology\nsystems, including management and related contractual costs of said acquisitions (and related\nIRS labor costs) and contractual costs associated with authorized operations.\nFactors that characterize the IRS\xe2\x80\x99s complex information technology environment include widely\nvarying inputs from taxpayers (from simple concise records to complex voluminous documents),\nseasonal processing with extreme variations in processing loads, transaction rates on the order of\nbillions per year, and data storage measured in trillions of bytes. Goals for the Modernization\nProgram include the following:\n      \xef\x82\xb7    Issuing refunds, on average, five days faster than existing legacy systems.\n      \xef\x82\xb7    Offering electronic filing (e-file) capability for individuals, large corporations, small\n           businesses, tax-exempt organizations, and partnerships with dramatically reduced\n           processing error rates.\n      \xef\x82\xb7    Delivering web-based services for tax practitioners, taxpayers, and IRS employees.\n      \xef\x82\xb7    Providing IRS customer service representatives with faster and improved access to\n           taxpayer account data with real-time data entry, validation, and updates of taxpayer\n           addresses.\nLast year was the first year since 1995 that the IRS did not identify and report the Modernization\nProgram as a material weakness under the Federal Financial Management Improvement Act.9 In\nJune 2011, the IRS Commissioner certified, in a memorandum to the Department of the\nTreasury\xe2\x80\x99s Assistant Secretary for Management and Chief Financial Officer, that the internal and\nmanagement control 
weaknesses contributing to the material weakness had been fully addressed.\nBased on achievements at that time, the IRS concluded that issues raised related to the early\n\n9\n    Pub. L. No. 97-255 \xe2\x80\x93 (H.R. 1526).\n                                                                                                  Page 6\n\x0c                         Annual Assessment of the Internal Revenue Service\n                                  Information Technology Program\n\n\n\nmodernization programs and the management processes and controls in place for the\nModernization Program were no longer a material weakness for the IRS. While we supported\nthe IRS\xe2\x80\x99s decision last year based on the accomplishments and preliminary results at the time,\nbased on our current assessment of the IRS\xe2\x80\x99s IT Program, we believe the Modernization Program\nremains a major risk. Further, we suggest that the IRS continue to stress improvements in its\noverall control processes and performance, including developing and implementing successful\nnew systems and applications that are necessary to meet IRS\xe2\x80\x99s mission-critical goals and\ncapabilities.\nIn June 2012, the GAO reported10 that the IRS\xe2\x80\x99s challenge in addressing its material weakness in\ninternal controls over unpaid assessments resulted from three specific control deficiencies:\n(1) inability to rely on its general ledger and underlying subsidiary records to report in\naccordance with Federal accounting standards without significant compensating procedures;\n(2) inability to trace reported taxes receivable to supporting transactions and maintain an\neffective transaction-based subledger for unpaid assessment transactions; and (3) inability to\neffectively prevent or timely detect and correct errors in taxpayer accounts. 
In its report, the\nGAO concluded that these conditions were caused \xe2\x80\x9cprimarily by IRS\xe2\x80\x99s continued reliance on\nsoftware applications that were not designed to provide accurate, complete, and timely\ntransaction-level financial information, as well as errors in taxpayer accounts.\xe2\x80\x9d Further, the\nGAO stated, \xe2\x80\x9cThese problems are likely to continue to exist until these software applications are\neither significantly enhanced or replaced, and IRS remedies the control deficiencies that continue\nto result in significant errors in taxpayer accounts.\xe2\x80\x9d\nThe IRS Oversight Board recently stressed the importance of the IRS Modernization Program\nand emphasized the continuing need for a modern IT system as the foundation for major\nincreases in IRS efficiency and reduced taxpayer burden through Electronic Tax\nAdministration.11 The Oversight Board\xe2\x80\x99s vision for Electronic Tax Administration is a tax\nadministration system that provides secure, convenient, timely, and accurate services to\ntaxpayers and to the tax professionals and IRS employees who serve them. The Oversight Board\nhas approved two long-term goals that it uses to measure the IRS\xe2\x80\x99s progress in modernizing\nitself: (1) the rate at which taxpayers electronically file their tax returns and (2) the successful\nand timely delivery of the CADE 2 and MeF systems.\nThe IRS\xe2\x80\x99s National Taxpayer Advocate reported to Congress that:\n        CADE 2 is expected to resolve many computational problems. Beginning January 2012,\n        the IRS will roll out an extensive system modernization known as CADE 2, that will\n        permit the Individual Master File to accept and post taxpayer account updates every\n        business day. Instead of waiting two weeks for payments to post, it will only take from\n\n10\n   GAO, GAO-12-695, Status of GAO Financial Audit and Related Financial Management Recommendations,\npp. 
7\xe2\x80\x938 (June 2012).\n11\n   IRS Oversight Board Annual Report to Congress 2011, p. 37 (May 2012).\n\n                                                                                                 Page 7\n\x0c                           Annual Assessment of the Internal Revenue Service\n                                    Information Technology Program\n\n\n\n           48 hours to a week. Ultimately, CADE 2 will replace the more than 50-year-old system\n           the IRS now uses to process tax return data. The new database and its related\n           applications will, over time, replace the IMF [Individual Master File] and the BMF\n           [Business Master File] as the IRS system of record for taxpayer accounts and will speed\n           the transition from the multiple systems that now manage taxpayer accounts to one\n           comprehensive system. The IRS anticipates that the January 2012 release of CADE 2\n           and the availability of real-time data will eliminate some account [sic] restricting for\n           interest and certain interest accruals and will increase timeliness of taxpayer account\n           data. For this reason, it is important that CADE 2 continue to develop, roll out, and\n           operate as planned.\nAt that time, the National Taxpayer Advocate also recognized that the IRS had recently\nimplemented several technology enhancements that can assist taxpayers to obtain information\nmore easily. This includes a new phone application, IRS2Go, which can be downloaded to a\nsmartphone for free. Taxpayers can use IRS2Go for a number of things, including checking the\nstatus of their tax refund and subscribing to tax tips.\n\nImproved Controls Are Needed to Ensure Long-Term Success for Two\nKey Systems Within the Modernization Program\n\nMeF system\nThe MeF system is a critical component of the IRS initiative to meet the needs of taxpayers,\nreduce taxpayer burden, and broaden the use of electronic interactions. 
Unresolved performance issues with MeF Release 7.0 and planned Calendar Year 2012 infrastructure changes for the IRS have impaired efforts to retire the existing Legacy e-File system and delayed plans for receiving employment tax forms through MeF Release 8.0.[12]

[12] See Appendix IV, Reference Number 2012-20-121.

Over the last calendar year, the IRS took important steps to increase the volume of returns transmitted to the MeF system and increased the number of vendors’ software packages available to transmit electronic tax returns. However, our audit found that unresolved performance issues with MeF Release 7.0 existed as of its deployment. In addition, the IRS IT organization is planning significant infrastructure changes in Calendar Year 2012 that will introduce uncertainty and may affect the MeF system’s reliability. Further, the IRS has not developed a retirement plan for the existing Legacy e-File system, including measurable shutdown conditions for that system, even though it was scheduled to be retired in October 2012. Finally, the MeF system has not yet fully demonstrated the ability to process all electronically filed returns for a filing season, projected to be more than 121 million combined individual and business returns.

To address these findings, we recommended that the CTO: (1) advise the Wage and Investment Division to defer the retirement of the Legacy e-File system until the increased risk associated with retiring the system can be addressed; (2) update the Internal Revenue Manual to include improved performance testing processes, ensure system performance test teams obtain approved waivers or deferrals when performance tests are not executed, and ensure performance test teams submit End of Test Status Reports for senior management review; and (3) advise the Wage and Investment Division to complete a retirement plan for the Legacy e-File system, as well as communicate retirement milestones and a timeline to key stakeholders.

In their response to the report, IRS officials partially agreed with the recommendations. The IRS plans to develop a contingency plan for the MeF system and to update the Internal Revenue Manual as needed.
The IRS has also revised its timeline to retire the Legacy e-File system. However, IRS management did not concur with our recommendation to develop a retirement plan for the Legacy e-File system that includes associated implementation dates and monitoring processes.

CADE 2 system

The January 2012 implementation of the CADE 2 system daily processing capabilities, which provide individual taxpayer account information to downstream IRS systems on a daily basis, enabled the IRS to process tax returns for individual taxpayers more quickly by replacing existing weekly processing. This key modernization system will include a centralized database of individual taxpayer accounts, allowing IRS employees to view tax data online and provide timely responses to taxpayers. The successful implementation of the CADE 2 system is intended to significantly improve services to taxpayers and significantly enhance IRS tax administration.

The IRS initiated systems development testing of the CADE 2 system, reduced the risks to the filing season by implementing independent contractor recommendations, and performed simulated exercises to identify potential issues that could occur during the filing season. However, we found that improvements are needed in key controls and processes for requirements management, process testing, and security testing to ensure the long-term success of the CADE 2 system.[13] TIGTA recommended that the CTO take necessary steps to ensure:

• Test cases and other appropriate documentation are properly developed for infrastructure requirements.
• All infrastructure documentation includes complete traceability to the requirements being tested and the testing results.
• IRS testers obtain and maintain documentation to verify test results.
• Test execution practices are consistent.
• All system security requirements and corresponding test cases are identified and sufficiently traced, managed, and tested.
• All database issues identified by vulnerability scanning are resolved or an action plan is developed with specific corrective actions and associated time periods for completion.
• All issues identified by source code security review scans are resolved and an action plan is developed with specific corrective actions and associated time periods for completion prior to the code being placed into service.

[13] See Appendix IV, Reference Number 2012-20-122.

In management’s response to the report, the IRS partially disagreed with three of our eight recommendations. The IRS disagreed with developing an enterprise-wide program-level Requirements Traceability Verification Matrix and policy. We believe, however, that an enterprise-wide approach is needed to strengthen oversight of traceability controls. Also, the IRS stated that automated tools are not always needed for control of requirements and test case management for IT systems development. We maintain that the use of one suite of integrated automated tools would provide needed control over volumes of requirements and test cases for IRS systems, including the monumental CADE 2 systems development initiative. Lastly, the IRS responded that additional CADE 2 documentation is not needed to ensure complete traceability of requirements to test results.
Specifically, the IRS stated that adequate documentation already exists with Government Equipment Lists and environmental checklists. However, as stated in our report, while this documentation does verify that infrastructure components have been acquired and implemented, it does not verify that all CADE 2 processing requirements have been tested.

Further, it is critical for the IRS to accurately execute, monitor, and assess performance and capacity testing for the CADE 2 system because these controls directly affect whether, after implementation, the system will be capable of processing the necessary quantity and types of information within required time periods. This is needed to avoid possible delays with taxpayer refunds and degraded customer service. As part of the CADE 2 systems development process, the IRS established a testing environment for the CADE 2 system that was representative of the existing production environment. This approach allowed the IRS to obtain meaningful data from its preproduction tests. However, the IRS did not follow procedures to ensure that performance requirements were completely tested during the Final Integration Test Phase I.[14] As a result, the IRS may not have acquired all the necessary information to make a fully informed decision on the ability of the CADE 2 system to effectively process transactions under expected normal and peak workload conditions within acceptable response time thresholds. To address specific control weaknesses with system performance testing, we recommended that the ACIO, Applications Development, take steps to ensure internal controls for testing performance and capacity requirements are formally and effectively implemented to ensure the traceability of these requirements through the performance testing process.

[14] See Appendix IV, Reference Number 2012-20-051.

One of the primary goals of the CADE 2 system is for it to be a trusted source of data for the IRS and taxpayers. To provide this, the system requires a stable design to support tax processing functions and ensure complete and accurate data. The database implementation project will establish a relational database that will store all individual taxpayer account data. It is currently in the testing phase and is expected to be placed into production in late 2012. However, we determined that the data integrity testing completed did not provide assurance that CADE 2 system data are consistently accurate and complete.[15] Also, the CADE 2 system database design has not fully met initialization, daily update, and downstream interface needs. In June 2012, the IRS acknowledged that it was having problems with its CADE 2 system database interface to the Integrated Data Retrieval System Taxpayer Information File. As a result, the IRS is reevaluating its data strategy for feeding downstream systems and is considering delaying the interface. The IRS spent about $22.3 million on database implementation, which included developing Version 2.2 of the CADE 2 database. However, the IRS does not track cost at the development activity level and, consequently, we could not determine the actual cost for the new version of the CADE 2 database. Enhanced security is also a primary goal for the CADE 2 system. However, vulnerabilities in the Java code could result in loss of sensitive taxpayer information.

The IRS agreed with three and partially agreed with one of the seven recommendations, and corrective actions are planned.
However, the IRS disagreed with three of our recommendations to: (1) ensure that the database design process follows the Internal Revenue Manual and validate that the database design meets business requirements, (2) realign data validation and testing efforts with business functionality and processes, and (3) disable or remove sample tables and default ports prior to the CADE 2 Program exiting Transition State 1. The IRS believes that its current development and testing processes are sufficient to address recommendations 1 and 2. For recommendation 3, the IRS will consider changing the default port as part of an enterprise risk mitigation remediation plan, while IRS management’s response is silent on what actions, if any, the IRS will take regarding sample tables.

A final matter for careful consideration regarding the CADE 2 system is an announcement[16] from the CADE 2 Governance Board in July 2012. The announcement noted that in January 2012, the IRS made history, delivering a daily processing capability for individual taxpayers after 50+ years on a weekly cycle. The announcement also highlighted that in March 2012 the IRS “delivered a new state-of-the-art database, loaded with over 270 million taxpayer accounts and over a billion tax modules” as an “immediate leap forward for the IRS from a technology standpoint.” However, the Governance Board also stated “there is much more to be done, and now more than ever, we need all hands on deck to reach our September delivery for Database Implementation.” Despite several specific progress areas for the CADE 2 system that are noted in the Board’s announcement, the IRS openly acknowledged that “the program has also experienced delays across Database Implementation, and there is a clear risk of further schedule delays.”

[15] See Appendix IV, Reference Number 2012-20-109.
[16] Message from the Governance Board: CADE 2 Database Implementation (July 2, 2012).

The following specific challenges and risk mitigation strategies for the CADE 2 system were identified by the IRS as being underway:

• Establishing clarity around points of accountability, integration, and priorities for the various functions and key players to help meet the September 2012 deliverable, with expanded leadership from the Program Management Office to drive those accountabilities.
• Addressing resources, both personnel and hardware, that can be reallocated to the highest priorities for the September 2012 deployment.
• Instituting working norms to rationalize meeting attendance and reduce fragmentation of employee focus.
• Rapidly updating,
communicating, and maintaining an accurate high-level schedule to facilitate decision making as changes in progress occur.
• Incorporating several broader lessons learned with CADE 2 system execution.

Achieving Program Efficiencies and Cost Savings

Given the current economic environment and the increased focus by the Administration, Congress, and the American people on Federal Government accountability and efficient use of resources, the American people must be able to trust that their Government is taking action to stop wasteful practices and ensure that every tax dollar is spent wisely. This major management challenge relates directly to IT capital planning and investment management controls for the IRS’s systems and applications. As part of our annual assessment of the status of the IRS’s IT Program, we considered the following information and reports that demonstrate the need for improvements in program efficiencies.

The IRS FY 2012 budget includes $330.21 million to remain available until September 30, 2014, for “necessary expenses of the Internal Revenue Service’s business systems modernization program.” Such expenses include the capital asset acquisition of information technology systems, including management and related contractual costs of said acquisitions (and related IRS labor costs) and contractual costs associated with authorized operations. The Consolidated Appropriations Act of 2012 specifically requires the IRS to submit a quarterly report to the House and Senate Committees on Appropriations and the Comptroller General of the United States detailing the cost and schedule performance for the CADE 2 system and the MeF system IT investments. The report should include the purposes and life-cycle stages of the investments, the reasons for any cost and schedule variances, the risks of such investments and the strategies the IRS is using to mitigate such risks, and the expected developmental milestones to be achieved and costs to be incurred in the next quarter.

We reviewed, but did not verify, the quarterly status information provided by the IRS in accordance with the previously discussed budget provisions. In its most recent quarterly submission, the IRS included cost and schedule performance information for the CADE 2 and MeF programs as well as five other programs, as specified by the Act. The five other IRS programs currently being tracked quarterly under the 2012 Modernization Program budget provisions are the:

• Enterprise Data Access Strategy/Integrated Production Model.
• E-Services.
• Information Reporting and Document Matching (IRDM).
• IRS.gov.
• Return Review Program.

In January 2012, the GAO reported[17] on weaknesses associated with the implementation of sound cost-estimating practices for IRS systems. In its report, the GAO concluded that the IRDM’s 2011 cost estimate, used to justify the program’s projected budgets of $115 million for FYs 2012 through 2016, generally does not meet best practices for reliability.
The GAO review found that the cost estimate minimally meets best practices for a well-documented estimate because the IRS did not provide detailed support for staff resources and the cost estimate documentation justified only about six out of the 86 requested Full-Time Equivalent staff for the IRDM, among other things. If documentation does not provide source data or cannot explain the calculations underlying the cost elements, the estimate’s credibility may suffer. Also, the IRDM program’s earned value management data did not meet data reliability criteria in the areas GAO reviewed. Specifically, the IRDM project schedule was not properly sequenced, meaning activities were not properly linked in the order in which they were to be carried out. In addition, surveillance was not conducted on the IRDM’s earned value management system, as required by the Office of Management and Budget and the Department of the Treasury. Surveillance involves having qualified staff review an earned value management system. The GAO concluded that because the IRDM’s 2011 cost estimate is based on unreliable earned value management data, it does not provide adequate support for the IRDM’s budget requests.

[17] GAO, GAO-12-59, Cost Estimate for New Information Reporting System Needs to Be Made More Reliable (Jan. 2012).

Development and Implementation of New Systems for the Patient Protection and Affordable Care Act Provisions Present Major Information Technology Management Challenges

The ACA contains an extensive array of tax law changes that will present a continuing source of challenges for the IRS in the coming years. While the Department of Health and Human Services will have the lead role in the policy provisions of the ACA, the IRS will administer the law’s numerous tax provisions. The IRS estimates that at least 42 provisions will either add to or amend the tax code and at least eight will require the IRS to build new processes that do not exist within the current tax administration system. In addition, the IRS must create new or revise existing tax forms, instructions, and publications; revise internal operating procedures; and reprogram major computer systems used for processing tax returns.

To address this emerging IT Program risk area, our annual IT assessment considered the broader planning efforts underway in response to emerging legislative requirements for the IRS under the provisions of the ACA. In June 2012, we reported[18] that the tax-related provisions established by the ACA affect millions of taxpayers and are key to meeting the primary legislative goal to reform health care. The ACA contains many provisions that are to be implemented over the course of several years, including some that required implementation during the year the legislation was signed into law. Regarding the IRS’s planning for the ACA, this audit found that appropriate plans had been developed to implement tax-related provisions of the ACA using well-established methods for implementing tax legislation. The IRS’s plans addressed tax forms, instructions, and most affected publications, as well as employee training, outreach and guidance to taxpayers and preparers, computer programming, and data needed for ACA provisions.

The IRS projected its FY 2012 and 2013 ACA staffing needs to be 1,278 Full-Time Equivalents and 859 Full-Time Equivalents, respectively. The IRS has not yet projected staffing needs beyond FY 2013.
A lack of documentation to support the staffing requirements needed to implement the ACA precluded the TIGTA from providing an opinion on the adequacy of staffing requests. The IRS did not analyze each provision to determine the amount of staffing necessary to implement the provision. The TIGTA recommended that the IRS perform an analysis to evaluate the resources necessary to efficiently implement the provisions and ensure that this process is documented. The report stated that the IRS plans to complete an evaluation of the major ACA provisions for which implementation has not been completed and evaluate the resources needed for implementation, especially any with specialized skill needs, by the end of FY 2012.

Also in FY 2012, the GAO reported[19] that the IRS had implemented one of its four recommendations from June 2011, to strengthen implementation efforts for the ACA by scheduling the development of performance measures for the IRS ACA program. The GAO’s report noted that the IRS had made varying degrees of progress on the other three recommendations: (1) develop program goals and an integrated project plan, (2) develop a cost estimate consistent with GAO’s published guidance, and (3) assure that the IRS’s risk management plan identifies strategic-level risks and evaluates associated mitigation options.

[18] See Appendix IV, Reference Number 2012-43-064.
[19] GAO, GAO-12-690, Patient Protection and Affordable Care Act: IRS Managing Implementation Risks, but Its Approach Could Be Refined (June 2012).

The GAO report concluded that the IRS’s revised risk management plan meets three of five criteria for risk management plans, but the plan does not have specific guidance for evaluating and selecting potential risk mitigation options, such as how to (1) identify who conducts and reviews the analysis, (2) determine the availability of resources for a given strategy, and (3) document for future users the rationale behind decisions made.

Further, the GAO reported that the IRS’s risk management plan was not used when the IRS’s Office of Chief Counsel was responsible for implementing two provisions the GAO reviewed. Although these provisions primarily required legal counsel and guidance, IRS officials said that one of the provisions also affected IRS operations and could have risks that need to be managed. Additionally, the GAO did not find evidence that a risk plan was used to track and mitigate risks when coordinating with partner agencies, such as the Department of Health and Human Services. We agree with the GAO’s conclusion that without a system for tracking shared risks, the IRS is more likely to overlook risks or duplicate efforts.

Information Security Background

As our Nation’s tax collector and administrator of the Internal Revenue Code, the IRS processed more than 234 million tax returns, of which 143 million came from individuals during FY 2011. Information from these tax returns is converted into electronic format. The IRS maintains 178 computer system applications for use by IRS employees and relies extensively on computerized systems to support its tax administration and core business processes. As such, effective information systems security is essential to ensure that data are protected against inadvertent or deliberate misuse, improper disclosure, or destruction and that computer operations supporting tax administration are secured against disruption or compromise.

The IRS faces the daunting task of securing its computer systems against the growing and diverse threats of cyberattacks.
As such, the IRS must ensure that its computer systems are effectively secured to protect sensitive financial and taxpayer data. According to the Office of Management and Budget’s FY 2011 report to Congress on the implementation of the Federal Information Security Management Act of 2002,[20] the number of cyber incidents affecting Federal Government agencies increased approximately 5 percent in FY 2011, when agencies reported 43,889 incidents to the U.S. Computer Emergency Readiness Team, as presented in Figure 2.

[20] Pub. L. No. 107-347, Title III, 116 Stat. 2899, 2946–2961 (2002) (codified as amended in 44 U.S.C. §§ 3541–3549).

Figure 2: Cyber Incidents Reported to the U.S. Computer Emergency Readiness Team by Federal Agencies in FY 2011

    Incident Category                          Number of Incidents   Percentage of Total Incidents
    Malicious Code                                          11,626                           26.5%
    Improper Usage                                           8,416                           19.2%
    Unauthorized Access                                      6,985                           15.9%
    Scans, Probes, and Attempted Accesses                    2,942                            6.7%
    Denial of Service                                           30                            0.1%
    Under Investigation/Other                               13,890                           31.6%
    Total                                                   43,889                          100.0%

    Source: The Office of Management and Budget’s FY 2011 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002.

For FY 2012, we designated “Security for Taxpayer Data and Employees” as the top management challenge for the IRS. This priority designation was given due to the increasing threats, both cyber and physical, against the IRS; the need for the IRS to continue improving its security posture; and the large volumes of data collected, processed, and maintained by the IRS. The IRS is highly visible, with more than 100,000 employees and contractors working in more than 700 facilities. Though animosity toward the IRS is nothing new, the February 2010 aircraft attack on an IRS facility in Austin, Texas, was a stark reminder of the dangers facing IRS employees and highlights a surge in hostility toward the Federal Government.
Also, the ongoing public debate regarding the ACA and continued concerns over the country’s recovering economy could fuel threats against the Federal Government, including IRS employees, facilities, and systems.

Progress Is Being Made to Improve Information Security and Personnel Safety

The Office of Cybersecurity within the IRS IT organization is responsible for protecting taxpayer information and the IRS’s electronic systems, services, and data from internal and external cybersecurity-related threats by implementing world-class security practices in planning, implementation, risk management, and operations. In addition to providing policy and guidance, the Cybersecurity organization continues to place a high priority on efforts to improve its information security program. For example, the IRS’s Strategic Plan for FYs 2009 to 2013 identifies the “explosion in electronic data, online interactions, and related security risks” as one of the major trends affecting the IRS. Another example of the IRS’s commitment toward information security is the IRS’s IT Security Program Plan, issued in September 2009. The IT Security Program Plan is designed to enhance collaboration, provoke thought and comment, and guide all security efforts across the IRS community. In addition, it serves as a roadmap and a basis for benchmarking information security performance toward attaining security objectives. Finally, senior leaders of the IRS will be able to use the IT Security Program Plan as input to their strategic business planning process. This plan is being updated to reflect the current environment and should be completed in September 2012.

During FY 2012, we conducted several audits and found that the IRS is moving toward a more effective information security program.

• During our audit of the February 2010 aircraft attack at the IRS Austin facility, we found that the IRS was adequately prepared for the incident, took the necessary actions to evacuate and protect IRS employees, secured taxpayer data and Federal Government property, and timely resumed business operations following the incident.[21] The IRS provided extensive personnel services to assess and support affected employee needs, identified temporary office space for the affected employees, awarded several procurements to support the recovery effort in an expedited time period, and provided the furnishings and equipment needed to resume work within 18 calendar days of the incident.
• During an inspection conducted by the TIGTA Office of Inspections and Evaluation on the IRS’s contract security guard workforce, we found that the IRS generally has controls in place to ensure these security guards are suitable for employment in the 36 facilities for which it was responsible.[22]
• As mandated by the Federal Information Security Management Act, we report annually on the effectiveness of the IRS information security program.
The Office of Management and Budget and the Department of Homeland Security identified 11 information security areas to be evaluated under the Federal Information Security Management Act review. Based on our work during the reporting period July 2010 to June 2011, we determined that the IRS information security program was generally compliant with Federal Information Security Management Act legislation, Office of Management and Budget requirements, and related information security standards.[23] Specifically, the IRS met the level of performance for seven program areas: risk management, incident response and reporting, remote access management, continuous monitoring management, contingency planning, contractor systems, and security capital planning. While the IRS was generally compliant with the Federal Information Security Management Act legislation, the program was not fully effective as a result of conditions identified in the remaining four program areas: configuration management, security training, the process for managing weaknesses, and identity and access management. These results were an improvement from the previous year, when we found that the IRS met an effective level of performance in only three areas: certification and accreditation, incident response and reporting, and remote access management.

[21] See Appendix IV, Reference Number 2012-10-074.
[22] See Appendix IV, Reference Number 2012-IE-R002.
[23] See Appendix IV, Reference Number 2011-20-116.

• During our audit of incident handling, we found that the Computer Security Incident Response Center was effectively performing its duties and responsibilities to detect, respond to, and prevent computer security incidents.[24] We also found that the Center has sufficient tools and training to accomplish its mission.
• During our audit of patch management, we found that the IRS had established policy and guidance for IRS organizations to carry out their respective responsibilities regarding patch management. This policy was consistent with Federal guidance from the National Institute of Standards and Technology, the Department of the Treasury, and industry best practices.
In addition, the IRS took steps to automate the installation and monitoring of\n         patching in a large segment of its Windows\xc2\xae environment.\n     \xef\x82\xb7   During our audit of two-factor authentication with Homeland Security Presidential\n         Directive-12 Personal Identity Verification cards, we found that the IRS updated its\n         implementation policies and developed a two-factor authentication system with the\n         required components.25 In addition, the technical specifications for the acquired products\n         met Federal standards.\nDespite this progress, the IRS needs to continue placing emphasis and attention on its\ninformation and physical security programs in order to ensure that policies, procedures, and\npractices adequately address security control weaknesses throughout the organization.\n\nContinued Management Attention Is Needed to Address Weaknesses\nin Information and Physical Security\n\nComputer security remains as a material weakness\nThe Federal Managers\xe2\x80\x99 Financial Integrity Act of 198226 requires that each agency conduct\nannual evaluations of its systems of internal accounting and administrative controls and submit\nan annual statement on the status of the agency\xe2\x80\x99s system of management controls. In the event\nthat an agency determines the existence of shortcomings in operations or systems that severely\nimpair or threaten the organization\xe2\x80\x99s ability to accomplish its mission or to prepare timely and\naccurate financial statements, the Department of the Treasury directs the agency to declare a\nmaterial weakness on that particular area.\n\n\n24\n   See Appendix IV, Reference Number 2012-20-019.\n25\n   See Appendix IV, Reference Number 2012-20-112.\n26\n   31 U.S.C. 
\xc2\xa7\xc2\xa7 1105, 1113, 3512.\n                                                                                           Page 18\n\x0c                            Annual Assessment of the Internal Revenue Service\n                                     Information Technology Program\n\n\n\nIn Calendar Year 1997, the IRS designated computer security as a material weakness. The\ncomputer security material weakness compromises the accuracy and availability of the IRS\nfinancial information and places sensitive information regarding IRS operations and taxpayers at\nrisk. The IRS further categorized the computer security material weakness into nine\ncomponents: (1) network access controls; (2) key computer applications and system access\ncontrols; (3) software configuration; (4) functional business, operating, and program units\xe2\x80\x99\nsecurity roles and responsibilities; (5) segregation of duties between system and security\nadministrators; (6) contingency planning and disaster recovery; (7) monitoring of key networks\nand systems; (8) security training; and (9) certification and accreditation.\nAccording to the IRS, it has closed or completed all planned corrective actions for eight of the\nnine components, as shown in Figure 3.\n      Figure 3: Status of Computer Security Material Weakness Components\n                                                                                 Date Closed\n            Material Weakness Area                          Status              or to Be Closed\n\n   Area 1-1: Network Access Controls              All actions completed.    July 2010\n\n   Area 1-2: Application/System Access\n                                                  All actions completed.    December 2011\n             Controls\n\n   Area 1-3: System Software Configuration        All actions completed.    December 2011\n\n   Area 1-4: Security Roles and\n                                                  All actions completed.    
March 2009\n             Responsibilities\n\n   Area 1-5: Security and System\n                                                  Closed.                   September 2004\n             Administration Segregation\n\n   Area 1-6: IT Contingency Planning              All actions completed.    December 2011\n\n   Area 1-7: Audit Trails                         Open.                     January 2014\n\n   Area 1-8: Security Training                    Closed.                   June 2008\n\n   Area 1-9: Certification and Accreditation      Closed.                   December 2008\n Source: The IRS\xe2\x80\x99s Computer Security Material Weakness Plan, updated as of December 7, 2011.\n\nSince our last annual assessment report where we cited that the IRS had closed or completed\ncorrective actions for five of the nine areas, the IRS reported that it had completed all corrective\nactions for three additional areas in December 2011. As early as June 2000, we have performed\nindependent validation assessments over individual areas of the computer security material\nweakness when requested by the IRS. These audits were specifically conducted to evaluate the\neffectiveness of actions completed and to provide an opinion on whether the IRS should close or\ndowngrade any areas of the computer security material weakness. The most recent IRS request\n\n                                                                                                  Page 19\n\x0c                          Annual Assessment of the Internal Revenue Service\n                                   Information Technology Program\n\n\n\ncame for the IT Contingency Planning area. 
Accordingly, we completed two audits to assess the\neffectiveness and completion of the IRS\xe2\x80\x99s corrective actions on the IT Contingency Planning\narea.27 As a result, we provided verbal concurrence to the IRS that it could either downgrade or\nclose this area, allowing the IRS to make the final determination.\nWe have not received any other requests to assess the effectiveness of completed corrective\nactions from the IRS on the Network Access Controls, Application/System Access Controls, or\nSystem Software Configurations areas. However, our audits conducted during FY 2012\ncontinued to identify weaknesses related to the computer security material weakness areas. The\nIRS agreed with the following findings and provided adequate corrective actions to address our\nfindings.\n     \xef\x82\xb7   During our audit of the CADE 2 system database implementation, we found that the IRS\n         did not correct security weaknesses identified through repeated database security\n         vulnerability scans.28 Specifically, these security weaknesses included privileged users\n         with unauthorized access to tables, packages, and files, which could result in loss of\n         taxpayer data. In addition, configuration weaknesses existed relating to default ports and\n         enabled demonstration tables, which could be exploited because default tables use default\n         account identification names, passwords, and ports.\n     \xef\x82\xb7   During our audit of patch management,29 we found that the IRS had not yet discovered all\n         the IT assets residing on its network and, therefore, cannot ensure all assets are\n         appropriately patched.30 We also found that, on several internal management reports, the\n         IRS continues to report missing patches and patches not being timely applied. 
For\n         example, in March 2012, the IRS\xe2\x80\x99s overall patch compliance rate for critical patches\n         averaged 88 percent for all reporting entities. The 12 percent noncompliance rate\n         translated to 23 critical patches not applied to IRS Windows servers, which resulted in\n         7,329 vulnerabilities remaining on these servers. These vulnerabilities could potentially\n         be exploited to gain unauthorized access to information, disrupt operations, or launch\n         attacks against other systems.\n     \xef\x82\xb7   Also during our audit of patch management, we found that the IRS network contained\n         outdated operating systems, which cannot be patched to correct known security\n         vulnerabilities. For example, we identified 65 obsolete Windows31 servers on the IRS\n         network. The IRS did not know why these servers were still operational and connected to\n\n\n27\n   See Appendix IV, Reference Number 2012-20-041 and TIGTA, Ref. No. 2011-20-060, Corrective Actions to\nAddress the Disaster Recovery Material Weakness Are Being Completed (June 2011).\n28\n   See Appendix IV, Reference Number 2012-20-109.\n29\n   Patch management is a component of the Systems Software Configuration area.\n30\n   See Appendix IV, Reference Number 2012-20-112.\n31\n   These 65 servers consisted of Windows NT servers (not supported by the Microsoft Corporation since\nDecember 31, 2004) and Windows 2000 servers (not supported by the Microsoft Corporation since July 13, 2010).\n                                                                                                      Page 20\n\x0c                           Annual Assessment of the Internal Revenue Service\n                                    Information Technology Program\n\n\n\n         its network. 
Outdated operating systems are no longer supported by the vendor, which\n         means new vulnerabilities cannot be corrected and can be exploited.\n     \xef\x82\xb7   During our audit of IRS audit trails to detect unauthorized access by IRS employees,32 we\n         found that the IRS needs to ensure audit trails effectively support unauthorized access\n         investigations in order for the IRS to make further progress in addressing and resolving\n         the audit trail material weakness.33 As of March 2012, the audit trail repository system\n         where audit trails are maintained for monitoring efforts contained audit trails for only\n         20 systems. The IRS estimated that 339 systems or subsystems could potentially be\n         required to be monitored.\nIn addition, from April 2011 to March 2012, the GAO assessed whether controls over key\nfinancial and tax processing systems were effective in ensuring the confidentiality, integrity, and\navailability of financial and sensitive taxpayer information in conjunction with its audits of the\nIRS\xe2\x80\x99s FYs 2010 and 2011 financial statements. The GAO found that the IRS implemented\nnumerous controls and procedures intended to protect key financial and tax-processing systems;\nhowever, control weaknesses in these systems continue to jeopardize the security of financial and\nsensitive taxpayer information processed by the IRS\xe2\x80\x99s systems. Specifically, the IRS continues\nto face challenges in controlling access to its information resources. 
For example, it had not\nalways (1) implemented controls for identifying and authenticating users, such as requiring users\nto set new passwords after a prescribed time period; (2) appropriately restricted access to certain\nservers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and\nmonitored systems to ensure that unauthorized activities would be detected; or (5) ensured\nmanagement validation of access to restricted areas. In addition, unpatched and outdated\nsoftware exposed the IRS to known vulnerabilities, and the agency had not enforced backup\nprocedures for a key system.\nConsidered collectively, these deficiencies, both new and unresolved from previous GAO audits,\nalong with a lack of fully effective compensating and mitigating controls, impair the IRS\xe2\x80\x99s\nability to ensure that its financial and taxpayer information is secure from internal threats. This\nreduces the IRS\xe2\x80\x99s assurance that its financial statements and other financial information are fairly\npresented or reliable and that sensitive IRS and taxpayer information is being sufficiently\nsafeguarded from unauthorized disclosure or modification. These deficiencies are the basis of\nthe GAO\xe2\x80\x99s determination that the IRS had a material weakness in internal controls over financial\nreporting related to information security in FY 2011.\n\n\n\n\n32\n   Internal Revenue Code Section 6103 and the Taxpayer Browsing Protection Act of 1997 (26 U.S.C. \xc2\xa7\xc2\xa7 7213,\n7213A, and 7431) require the IRS to detect and monitor unauthorized access and disclosure of taxpayer data. 
The\nwillful unauthorized access or inspection of taxpayer records is a criminal offense.\n33\n   See Appendix IV, Reference Number 2012-20-099.\n                                                                                                        Page 21\n\x0c                           Annual Assessment of the Internal Revenue Service\n                                    Information Technology Program\n\n\n\nOther security weaknesses adversely affect the IRS\xe2\x80\x99s ability to achieve effective\ninformation and physical security programs\nIn addition, we identified security weakness areas from across several audits during our reporting\nperiod.\n       \xef\x82\xb7   Physical security.\n           \xef\x83\x98 Because of the Austin aircraft attack, the IRS contracted for the completion of\n             in-depth physical security reviews of IRS facilities across the country to determine\n             how to improve its current security posture. During our audit of this contract, we\n             found that IRS employees did not properly administer the contract in compliance with\n             acquisition regulations and directed the contractor to perform services that were lesser\n             in scope than required by the contract.34 As a result, the contractor did not perform an\n             in-depth, independent assessment regarding the security posture of the IRS\xe2\x80\x99s\n             facilities. 
The noncompliance of contract deliverables could potentially impact the\n             IRS\xe2\x80\x99s ability to make informed decisions regarding its physical security and the need\n             for additional security enhancements.\n       \xef\x82\xb7   Remediation of security weaknesses.\n           \xef\x83\x98 The security weaknesses previously discussed on unauthorized access to privileged\n             user accounts from our review of the CADE 2 system database implementation were\n             the result of an ineffective process for remediating identified security weaknesses\n             during systems development. Database vulnerability scans in March 2012 identified\n             67 weaknesses, of which 49 were deemed critical and 18 were deemed major. A\n             comparison to a similar scan performed in December 2011 showed that the\n             weaknesses were repeat findings.\n           \xef\x83\x98 The security weakness previously discussed on missing critical patches from our\n             review of patch management were partly caused by insufficient monitoring processes\n             to ensure vulnerabilities resulting from unpatched systems were successfully and\n             timely remediated. 
Monitoring servers and workstations were performed manually\n             with self-reported results or conducted by an automated solution that had not been\n             properly implemented or was not working as intended.\n       \xef\x82\xb7   Lack of oversight or functional coordination on security-related issues.\n           \xef\x83\x98 During an inspection conducted by the TIGTA Office of Inspections and Evaluation\n             on the IRS\xe2\x80\x99s contract security guard workforce, we found that the IRS had\n             erroneously allowed 17 contract security guards to continue to work at an IRS facility\n             after their access authorization had expired.\n\n\n34\n     See Appendix IV, Reference Number 2012-10-075.\n                                                                                             Page 22\n\x0c                           Annual Assessment of the Internal Revenue Service\n                                    Information Technology Program\n\n\n\n           \xef\x83\x98 During our audit of the CADE 2 system database implementation, we found that the\n             IRS hired two contractors to conduct source code reviews of the CADE 2 system\n             database; the contractors identified one high-risk and several moderate- and low-risk\n             weaknesses in October 2011. These weaknesses included Structured Query\n             Language injection, insufficient password management, incorrect logical operators,\n             and insufficient input validation. The CADE 2 Governance Board chose not to\n             correct these weaknesses, accepting the risks because the code was intended to be\n             used only once. However, we found the unsecure code was used multiple times in\n             testing and to initialize the production database in March 2012, and it will be used to\n             initialize the database in the summer of 2012. 
These weaknesses could cause a loss\n             of data and performance problems.\n           \xef\x83\x98 During our audit of incident handling, we found that 34 percent of servers within the\n             IRS network did not have host-based intrusion detection software installed.35\n             Host-based intrusion detection software allows the Computer Security Incident\n             Response Center to monitor and analyze network traffic for the purpose of detecting\n             suspicious activities. A lack of coordination between the Center and systems\n             administrators, who are responsible for installing the software, contributed to the\n             significant number of servers without this detection capability.\n           \xef\x83\x98 During our review of two-factor authentication with Homeland Security Presidential\n             Directive-12 Personal Identity Verification cards (referred to as SmartID cards by\n             the IRS), we found that the project encountered significant delays, putting the IRS\n             22 months behind its original planned completion date for implementing the new\n             two-factor authentication system.36 We also believe this project will be further\n             delayed due to inadequate progress being made on mandating the use of SmartID\n             cards, implementing two-factor authentication for administrators, enabling the use of\n             SmartID cards for authentication to applications, and configuring remote access\n             capabilities to use SmartID cards. We also found that required testing, including\n             security testing, was not conducted and that key enterprise lifecycle artifacts and\n             processes were not completed. 
Many of these weaknesses were attributed to a lack of\n             a project manager with the requisite training and experience to manage and oversee\n             the project.\nUntil the IRS addresses each computer security material weakness component with the necessary\nresources and funding and minimizes the existences of new security weaknesses, the IRS will\ncontinue to put the confidentiality, integrity, and availability of financial and taxpayer\ninformation maintained and processed on its computer systems and employee safety at risk.\n\n\n\n35\n     See Appendix IV, Reference Number 2012-20-019.\n36\n     See Appendix IV, Reference Number 2012-20-115.\n                                                                                             Page 23\n\x0c                            Annual Assessment of the Internal Revenue Service\n                                     Information Technology Program\n\n\n\nInformation Technology Operations Background\nThe IRS IT organization plays an important role in helping the IRS meet its tax administration\nresponsibilities each year. It is not only responsible for the efficient and secure processing and\ntransfer of taxpayer data, but it also supports the needs of 100,000 employees who rely on\nequipment and system availability. The IRS needs to ensure that it leverages viable\ntechnological advances as it improves its overall operational environment.\nAccording to the Draft IRS IT Business Plan FYs 2011\xe2\x80\x932013, the IRS IT organization\xe2\x80\x99s vision is\nto become a world-class provider of IT services by focusing on people, processes, and\ntechnology. Because these components are interlinked, it is imperative to create an alignment\nbetween each of these three areas. Focusing on developing employees is the most important\nactivity. Then, focusing on process functions allows the IT organization to focus on activities\nthat add customer value while increasing operational efficiency and decreasing cost. 
Finally, the\nidentification and implementation of appropriate technology solutions provides a path to\norganizational success.\n\nInformation Technology Operational Efficiency Continues to Improve,\nbut Additional Improvements Are Needed\nDuring FY 2012, we conducted several audits of IT operations and found opportunities for the\nIRS to improve operational efficiency and effectiveness.\nDuring our audit to evaluate the effectiveness and efficiency of the IRS\xe2\x80\x99s efforts to consolidate\nand virtualize its servers, we found that by the end of FY 2011, the Server Consolidation and\nVirtualization Project team had succeeded in establishing a virtual Wintel server environment\nwith approximately 1,800 virtual servers running on 234 physical host servers at 13 data center\nlocations (nine campuses, three computing centers, and the New Carrollton Federal Building).\nThe goals of the project were successfully achieved on time and within budget.37 Reducing the\nnumber of physical servers has resulted in significant cost savings, associated with lower\nelectrical output for fewer servers, and hardware savings over a one-for-one server replacement.\nAs of the end of FY 2011, the IRS estimated that server virtualization had saved approximately\n$10.2 million in equipment costs. The IRS also expects to save approximately $1.3 million\nannually in decreased electrical costs beginning in FY 2013. The virtualized servers help lower\noperational costs through standardization, making it easier to load or remove a server from the\noperating environment. 
Other benefits of virtualization technology include decreased server\nhardware downtime and automatic load balancing.38\n\n\n37\n  See Appendix IV, Reference Number 2012-20-029.\n38\n  Automatic load balancing refers to the even distribution of processing across available resources such as servers in\na network.\n                                                                                                            Page 24\n\x0c                          Annual Assessment of the Internal Revenue Service\n                                   Information Technology Program\n\n\n\nHowever, the Server Consolidation and Virtualization Project team did not include Wintel\nservers in IRS field offices outside of the 13 targeted locations. IRS management estimates\napproximately 650 of 1,000 Wintel servers in its field locations can be decommissioned and\nadded to the virtual server environment. By virtualizing the remote servers, IRS management\nestimates it could realize an additional savings of approximately $7.73 million ($7.26 million in\nequipment savings and $0.47 million in electrical savings over five years).\nDuring our audit to evaluate the effectiveness and efficiency of the new business processes, the\nimplementation of personnel placement, and mitigations associated with the reorganization of the\nEUES organization, we found that EUES organization management should introduce measures\nthat will help assess the cost effectiveness of the Customer Service Support Centers.39 Also,\nEUES organization management should mandate use of the password management tool. In\nFY 2010, the Service Desk performed 122,431 password resets, and in FY 2011, it performed\n130,806 password resets, with 12,000 of these occurring during a one-month period. These high\npassword reset rates occurred because management had not mandated the use of the password\nmanagement tool. 
Mandating the use of this tool will allow the IRS to achieve the full benefits\nfrom the tool while freeing up Service Desk employees to focus on resolving other complex\nissues and increasing its first contact resolution rate.\n\nThe Information Technology Organization Is Effectively Working\nHuman Capital Issues, but Additional Improvements Are Needed\nThe Human Capital Assessment and Accountability Framework identify five human capital\nsystems that together provide a consistent, comprehensive representation of human capital\nmanagement for the Federal Government. The Human Capital Assessment and Accountability\nFramework links human capital management to the merit system principles and other civil\nservice laws, rules, and regulations. The establishment of the Human Capital Assessment and\nAccountability Framework fulfills the Office of Personnel Management Chief Human Capital\nOfficers Act of 200240 to design systems and set standards, including appropriate metrics, for\nassessing the management of human capital by Federal agencies.\nWorkforce planning is a systematic process for identifying the human resources required to meet\nan agency\xe2\x80\x99s mission and goals and developing strategies to meet those requirements. According\nto the Office of Personnel Management,41 an effective workforce plan includes identifying the\nhuman capital required to meet organizational goals, conducting analysis to identify competency\ngaps, developing strategies to address human capital needs and close competency gaps, and\nensuring the organization is appropriately structured. An agency should approach workforce\n\n39\n   See Appendix IV, Reference Number 2012-20-086.\n40\n   5 U.S.C 1103 (c) and implemented under subpart b of 5 CFR part 250.\n41\n   The Office of Personnel Management, The Office of Personnel Management Human Capital Assessment and\nAccountability Framework Resource Center \xe2\x80\x93 Workforce Planning (Strategic Alignment System) (Sept. 
2005).\n                                                                                                    Page 25\n\x0c                           Annual Assessment of the Internal Revenue Service\n                                    Information Technology Program\n\n\n\nplanning strategically and in an explicit, documented manner. The workforce plan should link\ndirectly to the agency\xe2\x80\x99s strategic and annual performance plans and be used to make decisions\nabout structuring and deploying the workforce. One key element of workforce planning requires\na workload analysis to determine the size of the workforce needed to meet organizational goals\nand to identify gaps between current and future workforce needs before the new budget\nexecution cycle.\nThe IRS IT organization is striving to achieve the objective to \xe2\x80\x9cmake the IRS the best place to\nwork in government,\xe2\x80\x9d but managing the drivers of change becomes a workforce planning\nchallenge due to the following needed factors:\n       \xef\x82\xb7   Ability to compete as an employer in the external marketplace, as well as improve upon\n           hiring goals and processes.\n       \xef\x82\xb7   Continued improvement in tracking and forecasting workforce needs and changes.\n       \xef\x82\xb7   Continued improvement of employee engagement and identifying and developing its\n           future leaders of tomorrow.\n       \xef\x82\xb7   Ability to measure and respond to the results of its human resource plans and processes.42\nThe Internal Revenue Manual provides guidance and standards for establishing workforce\nplanning. 
Similar to the Office of Personnel Management model, Figure 5 shows four phases of\nthe IRS Strategic Workforce Planning model.\n\n\n\n\n42\n     See Appendix IV, Reference Number 2012-20-107.\n                                                                                             Page 26\n\x0c                              Annual Assessment of the Internal Revenue Service\n                                       Information Technology Program\n\n\n\n                        Figure 5: IRS Strategic Workforce Planning Model\n                               for Human Resources Management\n\n\n\n\n              Source: Internal Revenue Manual Exhibit 6.251.1-3, dated July 2003.\n\nDuring our audit to evaluate the effectiveness and efficiency of the new business processes, the\nimplementation of personnel placement, and mitigations associated with the reorganization of the\nEUES organization, we found that impacted employees were provided mitigation strategies\nduring placement into the reorganized EUES organization. Some of the mitigations or\nplacements offered included realignment, voluntary retirement/separation for those deemed\neligible, preference placement, voluntary or involuntary reassignment, and competitive\nplacement. The EUES organization established a baseline of 1,292 employees, of which\napproximately 1,100 were bargaining unit employees.43 As of December 2011, the EUES\norganization placed 1,211 of its employees into the new structure.\nIn addition, placed employees received training to handle new roles and responsibilities. The\nEUES organization management developed a comprehensive training curriculum for each\nposition within the various EUES functions. The curriculum detailed the training classes needed\nto successfully perform in a given job. 
An analysis of training records obtained from EUES organization management showed Service Desk and deskside employees received training within the parameters defined by the Memorandum of Understanding and National Treasury Employees Union agreements to prepare them for their jobs.

We also interviewed six Service Desk employees regarding special training they might have received to prepare them for providing the first line of customer service. We were informed that in addition to completing a two-week training course about the Service Desk, each was assigned an on-the-job training instructor to provide further assistance.

During our audit to evaluate the IRS IT organization’s workforce planning efforts to ensure that it had the human capital needed to deliver IT services and solutions that drive effective tax administration, we found that the IT organization had conducted an extensive study to determine if any human resource contention risks existed related to its staffing demand forecasts and developed mitigation strategies for areas of risk as appropriate. Although the IRS IT organization had a process for identifying its resource needs and gaps for completing its priority work, the process primarily relied on management’s knowledge and judgment about each individual’s skills and did not consider resource needs for other mission-related work. While there are some automated personnel systems that provide IRS IT organization management with information about its employees, e.g., certifications obtained and educational holdings, there is not a system within the IRS IT organization that provides information about skills and competencies associated with the various occupations. Without a competency database, IRS IT organization management cannot efficiently and effectively manage the skills of the workforce.

43 The baseline was established in October 2009.


Appendix I

Detailed Objective, Scope, and Methodology

The IRS Restructuring and Reform Act of 1998,1 in part, states that the TIGTA shall annually perform an evaluation of the adequacy and security of the technology of the IRS. To meet this objective, the audit considered results from internal and external reports from August 1, 2011, through September 30, 2012, focusing on key programs and initiatives led by the CTO. Our subobjectives were to:

I.   Compile IRS IT Program-related audit findings and recommendations from TIGTA reports and identify high-risk IT management issues affecting IRS efforts to achieve its program goals and objectives.
II.  Consider pertinent status information from other internal and external IRS oversight organizations, including published reports.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We did not evaluate internal controls as part of this review because doing so was not necessary to satisfy our review objective.

1 Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).


Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Gwendolyn McGowan, Director
Kent Sagara, Director
Danny Verneuille, Director
Carol Taylor, Audit Manager
Ryan Perry, Lead Auditor
Louis Lee, Senior Auditor
Mike Mohrman, Information Technology Specialist


Appendix III

Report Distribution List

Commissioner  C
Office of the Commissioner – Attn: Chief of Staff  C
Deputy Commissioner for Operations Support  OS
Assistant Deputy Commissioner for Operations Support  OS
Chief, Agency-Wide Shared Services  OS:A
Deputy Chief Information Officer for Operations  OS:CTO
Deputy Chief Information Officer for Strategy/Information Technology  OS:CTO
Deputy Commissioner, Services and Operations  SE:W
Associate Chief Information Officer, Affordable Care Act (PMO)  OS:CTO:ACA
Associate Chief Information Officer, Applications Development  OS:CTO:AD
Associate Chief Information Officer, Cybersecurity  OS:CTO:C
Associate Chief Information Officer, Enterprise Networks  OS:CTO:UNS
Associate Chief Information Officer, Enterprise Operations  OS:CTO:EO
Associate Chief Information Officer, Enterprise Services  OS:CTO:ES
Associate Chief Information Officer, Information Technology – Program Management Office  OS:CTO:MP
Associate Chief Information Officer, Strategy and Planning  OS:CTO:SP
Chief Counsel  CC
National Taxpayer Advocate  TA
Director, Office of Legislative Affairs  CL:LA
Director, Office of Program Evaluation and Risk Analysis  RAS:O
Office of Internal Control  OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division  OS:CTO:SP:RM


Appendix IV

List of Treasury Inspector General for Tax Administration Reports Reviewed

No.   Report Reference or (Audit) Number   Report Title   Report Issuance Date

1     2011-20-116    Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2011   September 20, 2011
2     2011-10-098    The Internal Revenue Service Adequately Prepared for and Responded to the Austin Incident   September 21, 2011
3     2011-20-111    Continued Centralization of the Windows Environment Would Improve Administration and Security Efficiencies   September 23, 2011
4     2012-IE-R002   Internal Revenue Service Contract Security Guard Workforce Inspection   January 10, 2012
5     2012-20-019    The Computer Security Incident Response Center Is Effectively Performing Most of Its Responsibilities, but Further Improvements Are Needed   March 12, 2012
6     2012-20-029    Virtual Server Technology Has Been Successfully Implemented, but Additional Actions Are Needed to Further Reduce the Number of Servers and Increase Savings   March 30, 2012
7     2012-20-041    Disaster Recovery Testing Is Being Adequately Performed, but Problem Reporting and Tracking Can Be Improved   May 3, 2012
8     2012-20-051    Customer Account Data Engine 2 Performance and Capacity Is Sufficient, but Actions Are Needed to Improve Testing   May 16, 2012
9     2012-43-064    Affordable Care Act: Planning Efforts for the Tax Provisions of the Patient Protection and Affordable Care Act Appear Adequate; However, the Resource Estimation Process Needs Improvement   June 14, 2012
10    2012-10-074    Accounting for the Austin Incident   July 10, 2012
11    2012-10-075    An Independent Risk Assessment of Facility Physical Security Was Not Performed in Compliance With Contract Requirements   July 25, 2012
12    2012-20-086    The End-User Equipment and Services Organization Successfully Planned Its Reorganization; However, Program Measures and Efficiencies Can Be Improved   August 14, 2012
13    2012-40-116    While Use of the Modernized e-File System for Individual Tax Returns Has Increased, the Legacy e-File System Is Still Needed As a Backup   September 19, 2012
14    2012-20-099    Audit Trails Did Not Comply With Standards or Fully Support Investigations of Unauthorized Disclosure of Taxpayer Data   September 20, 2012
15    2012-20-107    The Information Technology Organization Needs to Implement a Competency Database to Efficiently Manage Its Workforce   September 21, 2012
16    2012-20-112    An Enterprise Approach Is Needed to Address the Security Risk of Unpatched Computers   September 25, 2012
17    2012-20-122    Customer Account Data Engine 2 (CADE 2): System Requirements and Testing Processes Need Improvements   September 28, 2012
18    2012-20-121    Despite Steps Taken to Increase Electronic Returns, Unresolved Modernized e-File System Risks Will Delay the Retirement of the Legacy e-File System and Implementation of Business Forms   September 27, 2012
19    2012-20-109    The Customer Account Data Engine 2 Database Was Initialized; However, Database and Security Risks Remain, and Initial Timeframes to Provide Data to Three Downstream Systems May Not Be Met   September 27, 2012
20    2012-20-115    Using SmartID Cards to Access Computer Systems Is Taking Longer Than Expected   September 28, 2012


Appendix V

Number of Internal Revenue Service Information Technology Employees

IRS Information Technology                                        Number of Employees, June 30, 2012

Applications Development                                            2,321
Enterprise Services                                                   280
Strategy and Planning                                                 322
User and Network Services                                           1,692
Enterprise Operations                                               1,717
Cybersecurity                                                         382
Affordable Care Act Program Management Office                         288
Management Services                                                   146
Customer Account Data Engine Program Management Office                 70
Chief Technology Officer Office                                         4
Deputy Chief Information Officer for Strategy and Modernization         4
Deputy Chief Information Officer for Operations                         2
TOTAL                                                               7,228

Source: Treasury Integrated Management Information System as of June 30, 2012.


Appendix VI

Glossary of Terms

Audit Trails: A record of events occurring on a computer from system and application processes as well as user activity.

Best Practice: A technique or methodology that, through experience and research, has proven to lead to a desired result.

Business Master File: The database on which the IRS stores business taxpayers’ data.

Business Systems Modernization: The Business Systems Modernization Program, which began in 1999, is a complex effort to modernize the IRS’s technology and related business processes.

Campus: The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computer Centers for analysis and posting to taxpayer accounts.

Certification and Accreditation: A process to provide assurance that adequate security controls are in place over computer systems.

Competency: An observable, measurable set of skills, knowledge, abilities, behaviors, and other characteristics an individual needs to successfully perform work roles or occupational functions. Competencies are typically required at different levels of proficiency depending on the specific work role or occupational function. Competencies can help ensure individual and team performance aligns with the organization’s mission and strategic direction.

Computing Centers: Support tax processing and information management through a data processing and telecommunications infrastructure.

Configuration Management: A collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.

Continuous Monitoring: Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

Customer Account Data Engine 2 (CADE 2): Creates a modernized processing and data-centric infrastructure that will enable the IRS to improve the accuracy and speed of individual taxpayer account processing, enhance the customer experience through improved access to account information, and increase the effectiveness and efficiency of agency operations.

Default: Controls or settings of computer hardware or software as preset by its manufacturer. Some types of default settings may be altered or customized by the user.

Denial of Service: The prevention of authorized access to resources or the delaying of time-critical operations.

Earned Value Management: A structured process used to manage major investments, which integrates the scope of work with schedule and cost elements for better planning and control.

Earned Value Management Data: Quarterly data that shall be provided to the Department of the Treasury. This data must be entered into the Department of the Treasury portfolio management tool and obtained from the Bureau’s Earned Value Management System to fulfill Department of the Treasury and Office of Management and Budget reporting requirements.

Earned Value Management System: A system that the Office of Management and Budget requires Federal agencies use to manage all major IT investments with development/modernization/enhancements activities.

Federal Information Security Management Act of 2002: Legislation that requires the Inspector General to perform an annual independent evaluation of each Federal agency’s information security policies, procedures, and practices, as well as evaluate its compliance with this law.

Filing Season: The period from January through mid-April when most individual income tax returns are filed.

Fiscal Year: A 12-consecutive-month period ending on the last day of any month except December. The Federal Government’s fiscal year begins on October 1 and ends on September 30.

Homeland Security Presidential Directive-12 (HSPD) Personal Identity Verification Card: This directive established a new standard for issuing and maintaining identification badges (also known as Personal Identity Verification cards) for Federal employees and contractors entering Government facilities and accessing computer systems.

Human Capital: Defined by the National Academy of Public Administration as the “identification of competencies and skills needed to realize an organization’s operating goals.” According to the GAO, acquiring and developing staff whose size and skills meet agency needs is one of the most pervasive challenges facing the Federal Government.

Individual Master File: The IRS database on which the IRS stores individual taxpayers’ data.

Information Reporting and Document Matching: The IRS established this program to create the infrastructure needed to implement two pieces of tax-gap legislation related to third-party reporting.

Integrated Data Retrieval System: Manages data that was extracted from the Corporate Account Data Stores (Business Master File, Employee Plans Master File, Individual Master File, and CADE), allowing IRS employees to take specific actions on taxpayer account issues, track status, and post transaction updates to the Master Files. It provides for systemic review of case status and notice issuance based on case criteria, alleviating staffing needs and providing consistency in case control.

Java: A general purpose, concurrent, class-based, object-oriented language that is specifically designed to have as few implementation dependencies as possible.

Malicious Code: The term used to describe any code in any part of a software system or script that is intended to cause undesired effects, security breaches, or damage to a system. Malicious code describes a broad category of system security terms that includes attack scripts, viruses, worms, Trojan horses, backdoors, and malicious active content.

Material Weakness: Office of Management and Budget Circular A-123, Management’s Responsibility for Internal Control, dated December 2004, defines a material weakness as any condition an agency head determines to be significant enough to be reported outside the agency.

Milestone: The “go/no-go” decision point in a project; it is sometimes associated with funding approval to proceed.

Mitigation Strategies: Strategies used to avoid or lessen the number or severity of involuntary personnel actions that result from an organization change, e.g., Voluntary Early Retirement Authority, Voluntary Separation Incentive Payment, Job Swaps, Grade and Pay Retention.

Modernized e-File (MeF): The MeF project develops a modernized, web-based platform for filing approximately 330 IRS forms electronically, beginning with the Form 1120, U.S. Corporation Income Tax Return, Form 1120S, U.S. Income Tax Return for an S Corporation, and Form 990, Return of Organization Exempt From Income Tax. The project serves to streamline filing processes and reduce the costs associated with a paper-based process.

Patch Management: The process by which an organization installs patches, which are fixes or updates to computer programs, operating systems, or applications.

Release: A specific edition of software.

Resource Contention: Occurs when multiple projects have the same skill-set needs, but there are not enough resources available to fill the total skill-set needs.

Structured Query Language (SQL) Injection: A type of attack where a malicious entity sends specially crafted input to the content generator. The input includes a specific SQL command string that, when submitted unfiltered to a SQL database server, potentially returns to the attacker any or all of the information stored in the database. SQL injections and other attacks are used to execute commands or gain unauthorized access to the Web server or a backend database server.

Taxpayer Information File: A file containing entity and tax data processed at a given service center for all Taxpayer Identification Numbers.

Virtual Server: A virtual server is not a physical machine. It co-resides and shares computer resources with other virtual servers on a physical computer or host.

Voluntary Early Retirement Authority: An opportunity to retire in advance of meeting the age and/or service requirements normally needed for retirement.

Voluntary Separation Incentive Payment: Commonly referred to as buyouts. Lump-sum payments of up to $25,000 paid to specifically impacted employees to enhance resignation or retirement. Buyouts are targeted at employees in specific grades, series, and locations and are used to help avoid Reductions in Force and minimize involuntary separations. Agencies, including the IRS, must obtain authority to offer buyouts to their employees from the Office of Personnel Management.

Wintel Server: A server running a Microsoft Windows operating system with an Intel microprocessor.

Workforce Planning: A process whereby a strategic plan is developed which sets the organization’s objectives for competency development and workforce activities. These objectives are supported by workforce allocation with each organizational unit to satisfy both unit needs and strategic objectives. The workforce planning process fundamentally involves identifying the gap between the existing workforce supply and the future workforce competency needs and position requirements based on projected workload and strategic objectives. The plan may also enumerate or recommend gap-closing strategies and/or options for the Senior Leadership Team.